Security Vendor vs. Cybercriminal

Shortly after my Security Absurdity article was posted online, we witnessed a remarkable series of events which illustrates quite clearly that cybercriminals are indeed currently winning the battle.

In my article, I mentioned that one of the challenges security professionals face is that cyberspace’s digital battlefield heavily favors the cybercriminal. The freedom, privacy, and anonymity cyberspace offers gives cybercriminals the opportunity and confidence to target victims around the world with little chance of being caught. Spam is so prevalent because the economics of spam are attractive for both the spammers and the companies that pay them to spam.

Anti-spam vendor Blue Security aimed to change all this by rewriting the rules of the game with an unconventional – yet by all measures highly effective – method. Blue Security’s plan was to make cyberspace socially, technically, and legally hostile to cybercriminals. (More on this topic in a future post.)

Blue Security’s approach to reducing unsolicited email is to combine a Do-Not-Email registry with a mechanism that automates and simplifies the user’s process of sending an opt-out email message. Under the US CAN-SPAM Act of 2003, individuals are legally allowed to send an opt-out email, and Blue Security was simply automating this ability. If messages are sent to Blue Security customers in violation of Blue Security’s Do-Not-Email registry, Blue Security identifies the merchant advertised in the messages, issues an initial complaint, and tries to resolve the situation. If the initial complaint is not resolved satisfactorily within a ten-day grace period, Blue Security instructs the Blue Frog agent installed on each of its customers’ computers to automatically send an opt-out email message to the merchant responsible for the spam. The fundamental economics of sending unsolicited email change when this happens, because the sender now has to ensure that they have the resources to handle the flood of legitimate opt-out requests. (More details on Blue Security’s model can be found here.)

Some have inaccurately described the Blue Security model as a DDOS. Sending spam, and hiring individuals to hijack computers in order to build botnets that are then used to send spam, is illegal. Under CAN-SPAM, individuals are legally allowed to send an opt-out email, and Blue Security was simply automating this ability. The risk with any “strike-back” technology is that the wrong sites and individuals may be hit. Blue Security had a number of safeguards against this: it attempted to contact the site and resolve the situation before starting an automated opt-out response. Allowing any individual to launch their own DDOS attack against spam sites at their whim would be dangerous and irresponsible. However, Blue Security had a responsible model with built-in safeguards. And one thing that can’t be argued is that it was successful in reducing the appeal of sending spam. According to Blue Security, 6 out of 10 top spammers were complying with Blue Security’s Do-Not-Email registry.

It was so successful, in fact, that a spammer (or group of spammers) known as PharmaMaster decided to fight back. PharmaMaster instructed his botnet to launch a DDOS attack against Blue Security. The resulting DDOS attack was so severe that it shut down:

Tucows chief executive Elliot Noss called the attack “by far the largest the company had ever seen” and said that only a handful of companies have the infrastructure in place to withstand such an assault. In cyberspace, a single anti-spam vendor was no match for PharmaMaster. Shortly after the attack began, Blue Security closed up shop.

Lessons Learned:

1) In order to be successful against cybercriminals, we must make cyberspace socially, technically, and legally hostile to them. Blue Security’s model – while unconventional – worked.

2) A small group of spammers was able to easily shut down a number of large web sites that already had considerable DDOS defenses in place. They were able to do this without detection and without repercussions. The fact that these cybercriminals have this much control over cyberspace should be of great concern to everyone.

3) A single anti-spam vendor was no match for the resources that cybercriminals have. That is why any effort to stop cybercriminals requires industry- and community-wide initiatives and support.

Todd Underwood, chief of operations and security for Renesys Corp., a company that monitors Internet connectivity, remarked that this event was, “extremely unfortunate, because it shows how much the spammers are winning this battle.”

9 Responses to “Security Vendor vs. Cybercriminal”

Bill Says:
June 5th, 2006 at 2:10 am
To my mind this DDOS is a law and order issue. Spammers using botnets are clearly breaking the law. Law enforcement agencies need to investigate and charge the people carrying out these activities. Spammers will stop these activities if they believe that they will be caught and charged with criminal offences. However, at the moment they know they can get away with it.

Jimi Loo Says:
June 5th, 2006 at 7:31 pm
Another good article highlighting what cyberspace is really like. We often hear on the news about hackers being found and arrested, giving people a sense of security, but the reality is these reports are the exception and not the norm. What the news never mentions is that the vast majority of criminals are never caught and are still at large.

Sierra Bravo Says:
June 5th, 2006 at 10:06 pm
We urgently need an aggressive, spammer-hostile, international legal regime. A few of these bot-masters need to be punished in a manner that will discourage others. If not, any script kiddo will soon be able to take down any site…
s.b.

toby Says:
June 9th, 2006 at 8:21 am
The internet was practically designed for this kind of abuse. Is it any surprise that it happens? If the spammers reside in a country that cares about such things, then they should be found and charged with *something*. If they reside in a country that doesn’t care much about catching these people, well, why don’t we just block that country’s IPs until they get their act together?

Bert Says:
June 9th, 2006 at 8:36 pm
The internet was designed to keep bad guys out while being completely open to legitimate users once they were in. With the advent of the World Wide Web and access for everyone, that model died. Now everyone can get in, so the bad guys can make use of the open nature designed into the internet.

Omer Taran Says:
July 20th, 2006 at 1:08 pm
You may be right, but it won’t get you anywhere. Spam is lucrative. More than fighting it.
If you want to fight, make sure you have enough firepower (military ratio is 3:1). You want to kill spam? Make it less lucrative.

Nathan Says:
November 30th, 2006 at 7:53 am
(Reply to Responses 1 to 5 and 8) Regulating the internet sounds very much like a good idea.
In fact, the government has been itching to get in on the action there for years now.
An international internet monitoring system, a sort of “internetpol” would, to a certain degree, reduce the privacy and anonymity of the internet, and greatly increase the accountability of spammers.
The sooner that international organizations band together to monitor and regulate their sections of the internet, the sooner we can say goodbye to spam and fraud.
Besides, in a country where not buckling your seat belt is against the law, and putting your tray down for an airport landing can send you to jail, what lawmaker would object to laws to help monitor spammers? (For those of you who lobbied for and respect the last two laws I mentioned, this is “embittered sarcasm” in its unadulterated form.)